The invention relates to computer security, and in particular to performing computer security operations in hardware virtualization configurations.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, and rootkits, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.
Modern computing applications often employ hardware virtualization technology to create simulated computer environments known as virtual machines (VM), which behave in many ways as physical computer systems. In applications such as server consolidation and infrastructure-as-a-service, several virtual machines may run simultaneously on the same computer system, sharing the hardware resources among them, thus reducing investment and operating costs. Each virtual machine may run its own operating system and/or software, separately from other virtual machines. Due to the steady proliferation of computer security threats such as malware and spyware, each such virtual machine potentially requires protection.
Some security solutions protect a host system by intercepting a call to a specific function, using any of a multitude of techniques generically known in the art as hooking. Exemplary hooking methods include, among others, inline hooking, patching a system service descriptor table (SSDT) of the host system, and configuring specific software components executing on the host system to be notified about certain events via minifilter notifications (a feature offered by some operating systems, such as Windows®). Hooking a function typically results in redirecting a call to the respective function to another entity, such as a security application, which may then forward the call to the original function or refuse it. The security application may thus detect an attempt by a software entity to perform a certain action, such as writing to a disk file, or accessing a memory space used by another entity. The security application may then analyze the attempt to determine, for instance, whether it is indicative of a security threat.
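The following C program is an added illustration of table-based hooking of the kind described above for SSDT patching; it is not part of the original disclosure. A small table of function pointers stands in for the system service descriptor table, and a security wrapper replaces the entry for a hypothetical "write file" service, inspects each request, and either forwards it to the saved original service or denies it. The service names, the table layout, the `/protected/` path policy and the integrity check are simplifying assumptions made for the example; real SSDT entries, kernel write protection and per-process context are omitted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical service interface: a service takes a path and a byte count
 * and returns 0 on success or a negative value on failure. */
typedef int (*service_fn)(const char *path, size_t len);

/* Original services, standing in for kernel services (assumption). */
static int svc_read_file(const char *path, size_t len) {
    (void)path; (void)len;
    return 0;                       /* pretend the read succeeded */
}
static int svc_write_file(const char *path, size_t len) {
    (void)path; (void)len;
    return 0;                       /* pretend the write succeeded */
}

enum { SVC_READ = 0, SVC_WRITE = 1, SVC_COUNT = 2 };

/* Dispatch table playing the role of the SSDT: callers reach a service
 * only through this table, so replacing an entry redirects every call. */
static service_fn service_table[SVC_COUNT] = { svc_read_file, svc_write_file };

/* Saved original entry so the hook can forward legitimate calls. */
static service_fn original_write = NULL;

/* Counters exposed for inspection. */
static unsigned hook_calls = 0, hook_blocked = 0;

/* Hypothetical policy: deny writes under this prefix. */
#define PROTECTED_PREFIX "/protected/"

/* Security wrapper installed in place of the write service. */
static int hooked_write_file(const char *path, size_t len) {
    hook_calls++;
    if (strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) == 0) {
        hook_blocked++;
        return -1;                  /* deny, EACCES-style */
    }
    return original_write(path, len);   /* forward benign request */
}

/* Install the hook: save the original entry, then patch the table slot.
 * Returns 0 on success, -1 if a hook is already in place. */
int install_write_hook(void) {
    if (original_write != NULL) return -1;
    original_write = service_table[SVC_WRITE];
    service_table[SVC_WRITE] = hooked_write_file;
    return 0;
}

/* Restore the original entry. Returns 0 on success, -1 if not hooked. */
int remove_write_hook(void) {
    if (original_write == NULL) return -1;
    service_table[SVC_WRITE] = original_write;
    original_write = NULL;
    return 0;
}

/* Dispatch through the table, mirroring a system-call entry path. */
int invoke_service(int index, const char *path, size_t len) {
    if (index < 0 || index >= SVC_COUNT) return -2;
    return service_table[index](path, len);
}

unsigned hook_call_count(void)    { return hook_calls; }
unsigned hook_blocked_count(void) { return hook_blocked; }

/* Integrity check of the kind a detector might run against the table:
 * compare each slot with the known-good image and count altered slots. */
int count_modified_entries(void) {
    static const service_fn pristine[SVC_COUNT] = { svc_read_file, svc_write_file };
    int modified = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != pristine[i]) modified++;
    return modified;
}

int main(void) {
    install_write_hook();
    printf("write /tmp/a.txt      -> %d\n", invoke_service(SVC_WRITE, "/tmp/a.txt", 16));
    printf("write /protected/x    -> %d\n", invoke_service(SVC_WRITE, "/protected/x", 16));
    printf("modified table slots  -> %d\n", count_modified_entries());
    remove_write_hook();
    printf("modified after unhook -> %d\n", count_modified_entries());
    return 0;
}
```

The same property that lets the security application patch the table lets any other code running at that privilege level patch it back: `count_modified_entries()` sees the hook as a modification, and a hostile caller with write access to the table could call the equivalent of `remove_write_hook()` itself. That is the weakness the conventional methods have, and it is why hooking from outside the guest, at the virtualization layer, is attractive.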
Conventional hooking methods often place a substantial computational burden on the host system, degrading user experience and productivity. Moreover, such conventional methods are sometimes vulnerable, i.e., may be incapacitated by a malicious entity executing on the host system. Therefore, there is considerable interest in developing alternative hooking methods, and in particular, hooking methods optimized for virtualization environments.